[Oisf-users] Best way to GET packet content and sent it by email

Alan Wanderley dos Santos alan.santos at rnp.br
Wed Dec 30 14:14:26 UTC 2015


Hi Peter,

Indeed, it can be dangerous, but we are prepared for this. We are the CSIRT of RNP (Brazilian National Research and Educational Network), so all these emails will be sent to us (to a single account). After this, we process these mails and send them to the correct clients. We are working with ~90k events/day. Of course, these events are sent to a lot of institutions and universities around the country (we have ~1200 clients).

I'm working hard to avoid false positives, so analysing the payload is important for that.

Thanks for your help.

Regards,

-----------------------------------------------
Alan Santos
Security Analyst
Centro de Atendimento a Incidentes de Segurança (CAIS)
Rede Nacional de Ensino e Pesquisa (RNP)
(19) 3787-3314 | alan.santos at rnp.br

----- Original message -----
From: "Peter Manev" <petermanev at gmail.com>
To: "Jason Ish" <lists at unx.ca>
Cc: "oisf-users" <oisf-users at openinfosecfoundation.org>
Sent: Wednesday, 30 December 2015 6:42:08
Subject: Re: [Oisf-users] Best way to GET packet content and sent it by email

On Tue, 2015-12-29 at 14:33 -0600, Jason Ish wrote:
> On Tue, Dec 29, 2015 at 2:20 PM, Andreas Moe <moe.andreas at gmail.com> wrote:
> > When you say this output is a little different from the packet, could you
> > specify? For example, would it give normalized and decoded (e.g. GRE, HTTP
> > gzip payload), or the raw "I matched on this packet" like unified records
> > are?
> 
> Generally just more context, especially if the alert generating data
> crosses packet boundaries.  I just find it more relevant to knowing
> why the event was triggered.  I'm sure there are more details I'm
> missing, but haven't looked into it.
> 
> Of course with eve.log you could log the packet as well, and send that
> in an email as well. I just find the payload more relevant.
> 
> >
> >
> > tir. 29. des. 2015, 17:48 skrev Jason Ish <lists at unx.ca>:
> >>
> >> On Mon, Dec 28, 2015 at 7:40 AM, Alan Wanderley dos Santos
> >> <alan.santos at rnp.br> wrote:
> >> > Hi all,
> >> >
> >> > I use a script to grab each event from fast.log. For each event, the
> >> > script sends an email with the event data (just the line from fast.log). How
> >> > can I get the packet data in human-readable form and send it in this same email?

This could be really dangerous - what if you receive 5000 alerts within
a few seconds? The way you explain your set up - it would mean that you
will send 5000 e-mails? (you or your organization might get blacklisted
that way)

> >> > I tried using pcap.log (and tcpdump to read it), but there isn't any kind of
> >> > identification that I can use to connect an event with a specific packet's data. I
> >> > thought of using the time, but that is not an effective way to do this (there can be 2 or N events
> >> > at the same time). Another option is to match every attribute from the event to the
> >> > packet data (ip_source, ip_dest, port_source, port_dest, protocol, time
> >> > etc). But I think that isn't the best way to do the job.
> >> >
> >> > Can you help me, guys?
> >>
> >> I'd look at the eve.log instead of the fast.log. It gives you the
> >> option to include the payload (a little different from the packet,
> >> usually more useful) in a printable format.  It's also JSON, so
> >> depending on what you are using for your script, it may be more useful
> >> as well.
> >>
> >> Jason
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> Suricata User Conference November 4 & 5 in Barcelona:
> >> http://oisfevents.net
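As an added example (not code from anyone in this thread), a Python sketch of what Jason and Peter describe: read eve.json alert records, pull the printable payload, and aggregate hits per rule and destination into one digest mail instead of one mail per alert. It assumes Suricata's eve-log alert output has payload-printable: yes; the sample records, addresses and rule names are constructed.

```python
import json
from collections import defaultdict
from email.message import EmailMessage

# Constructed eve.json sample: two alerts for one rule against one host, one
# non-alert record, one alert for a different rule. Field names follow EVE's
# alert record; payload_printable needs "payload-printable: yes" in suricata.yaml.
SAMPLE_EVE = r"""
{"timestamp":"2015-12-30T10:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":44321,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"signature_id":2100001,"signature":"EXAMPLE HTTP probe","severity":2},"payload_printable":"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"}
{"timestamp":"2015-12-30T10:00:01.500000+0000","event_type":"alert","src_ip":"192.0.2.11","src_port":44322,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"signature_id":2100001,"signature":"EXAMPLE HTTP probe","severity":2},"payload_printable":"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"}
{"timestamp":"2015-12-30T10:00:02.000000+0000","event_type":"flow","src_ip":"192.0.2.12","dest_ip":"198.51.100.6"}
{"timestamp":"2015-12-30T10:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.12","src_port":5555,"dest_ip":"198.51.100.6","dest_port":22,"proto":"TCP","alert":{"signature_id":2100002,"signature":"EXAMPLE SSH scan","severity":3},"payload_printable":"SSH-2.0-scanner\r\n"}
"""

def parse_alerts(eve_text):
    """Yield only alert records; flow/http/dns records in the same file are skipped."""
    for line in eve_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                yield rec

def group_alerts(alerts):
    """Bucket alerts by (signature_id, dest_ip): a burst of N hits becomes one digest."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["alert"]["signature_id"], a["dest_ip"])].append(a)
    return groups

def build_digest(key, alerts, to_addr, max_payloads=3):
    """One mail per group: a fast.log-style line per hit, plus a bounded number
    of printable payloads so a large burst cannot produce a huge message."""
    sid, dest_ip = key
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"[IDS] {alerts[0]['alert']['signature']} -> {dest_ip} ({len(alerts)} hits)"
    lines = [f"{a['timestamp']} [**] [1:{sid}] {a['alert']['signature']} [**] "
             f"{a['proto']} {a['src_ip']}:{a['src_port']} -> {a['dest_ip']}:{a['dest_port']}"
             for a in alerts]
    for a in alerts[:max_payloads]:
        lines.append("--- payload_printable ---")
        lines.append(a.get("payload_printable", "<not logged>"))
    msg.set_content("\n".join(lines))
    return msg

def digests_for(eve_text, to_addr="csirt@example.test"):
    """Return the list of digest messages to hand to an SMTP sender (constructed address)."""
    groups = group_alerts(parse_alerts(eve_text))
    return [build_digest(k, v, to_addr) for k, v in groups.items()]
```

Sending is left to the caller (smtplib or a local relay), which is also where a per-window cap on the number of digests belongs.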

